Pulse Secure is a “new” company born from the sale of the Juniper Networks Junos Pulse product line to Siris Capital, a leading private equity firm. It brings a 10+ year understanding of customer needs and goals, and as a standalone company Pulse Secure now has the additional resources and focus to solve the challenges of enterprise mobility faster than ever before.
- 80% of the Fortune 50 use Pulse Secure solutions
- 20K+ customers use Pulse Secure daily
- 200+ patents globally
Pulse Secure is the ultimate SSL VPN appliance, delivering a global VPN client (including clientless access) for all your remote VPN user needs.
Pulse Secure Products
Connect Secure (aka SSL VPN)
Pulse Connect Secure is the leading SSL VPN solution, enhanced for BYOD mobility, for market-leading seamless connectivity to corporate networks and resources.
NOTE: Previously this product was known as Juniper Networks SA, Juniper Networks SSL VPN and Juniper Networks MAG. This included the SA2000, SA2500, SA4000, SA4500, SA6000 and SA6500. It also includes the most recent Juniper MAG series including the MAG2600, MAG4610, MAG6610 and MAG6611.
Latest Pulse Secure appliances include the PSA300, PSA3000, PSA5000, PSA7000c and PSA7000f.
Pulse Connect Secure supports leading web technologies and standards such as HTML5 and IPv6, and its broad Virtual Desktop Infrastructure (VDI) support provides interoperability with leading players such as VMware, Citrix and Microsoft.
- High performance and scale, providing end users seamless and blazing fast access to resources
- Out-of-the-box host checking and device compliance features for trusted and untrusted device connectivity
- Broad Virtual Desktop Infrastructure (VDI) support for leading players such as VMware, Citrix and Microsoft
- Rapid innovation to support leading technology standards such as HTML5 and IPv6
Pulse Cloud Secure
Pulse Cloud Secure is currently part of Pulse Connect Secure.
Pulse Cloud Secure is the first solution in the industry that combines user authentication and device compliance for secure access to the data center and cloud.
Single Sign-on (SSO)
Cloud Secure provides industry standard SAML 2.0 based SSO and supports Kerberos Constrained Delegation (KCD) and NT LAN Manager (NTLM) to connect to legacy applications in the data center.
Compliance for the Cloud
Using Pulse Secure host checking technologies, Cloud Secure verifies compliance of laptops, iOS and Android devices to ensure that only authorized users with trusted devices have cloud and data center access.
Cloud Secure integrates with leading EMM solutions for compliance enforcement and can use Pulse Workspace for BYOD container security.
The Pulse One platform enables centralized management of policy, compliance and authorization for SaaS, cloud and data center access.
Extensible Identity Management
Pulse Connect Secure can serve as a SAML Identity Provider (IdP) and as a SAML Service Provider (SP) enabling easy integration with third party identity management providers.
Cloud Secure eliminates data center hairpinning by only sending authorization and compliance checks to Pulse Connect Secure and sending application data directly to the cloud.
Pulse Workspace (Mobile BYOD Containers)
Pulse Workspace is helping companies rethink mobility. It provides a trusted BYOD container for iOS and Android that secures the apps your company needs and gives workers a native user experience that separates work and life.
Policy Secure (aka NAC)
A mobility-ready network access control (NAC) and BYOD solution that resides on the network and protects enterprises through seamless enforcement of security policies for all users, devices and applications accessing the enterprise.
NOTE: Previously this product was known as Juniper Networks UAC
Pulse Secure Mobility Client (part of Pulse Connect Secure)
Pulse Secure's unified client gives employees and contractors easy, anytime, anywhere secure access to corporate networks from corporate or personal devices. The industry leading FIPS 140-2 compliant client works seamlessly with Pulse VPN and NAC solutions.
NOTE: This is not a separate standalone product, it is part of Connect Secure.
- Same and familiar user experience when working on laptops, desktops and mobile devices
- The only integrated smart device client with VPN, NAC and anti-malware capabilities built in
- One-click configuration using automated BYOD gateway onboarding or integrated MDM capability
- "Work anywhere" productivity from any smart device: Apple iOS, Android and Windows Phone
- One-touch VPN experience with iOS On Demand VPN and certificate-based authentication
Pulse One
Pulse One lets IT administrators control enterprise access to the data center and cloud from one console. It enables converged policy management for remote, mobile and campus access security, as well as unified compliance reporting for laptops, smartphones and tablets.
Pulse One integrates easily with back-office systems such as Microsoft Active Directory. Deployed as Software-as-a-Service (SaaS), it scales and introduces new features without the need for data center logistics and planning.
Pulse Secure Appliances
PSA300: Appliance for SSL VPN or NAC users. Supports up to 200 SSL VPN or 500 NAC concurrent user sessions.
PSA3000: Appliance for SSL VPN or NAC users. Supports up to 200 SSL VPN or 500 NAC concurrent user sessions.
PSA5000: Appliance for SSL VPN or NAC users. Supports up to 2,500 SSL VPN or 10,000 NAC concurrent user sessions.
PSA7000: Appliance for SSL VPN or NAC users. Supports up to 25,000 SSL VPN or 50,000 NAC concurrent user sessions.
NOTE: PSA300 and PSA3000 support similar user counts. Choose the PSA3000 for rackmount environments, greater logging capacity and dedicated management port. Both units cost the same!
The previous Juniper Networks SSL VPN (SA) and Infranet Controller (IC) product families have been EOL'd. The MAG and PSA appliance series are now the supported models. The PSA appliance models scale from 200 to 25,000 concurrent user sessions.
The MAG series, previously from Juniper Networks, has models supporting up to 100, 1,000, 20,000 or 40,000 concurrent SSL VPN users.
The PSA series, new from Pulse Secure, has models supporting up to 200, 2,500 or 25,000 concurrent SSL VPN users.
Juniper SA SSL VPN (SA2000, SA2500, SA4000, SA4500, SA6000 and SA6500) Upgrades
From Juniper Networks SSL VPN SA2000 and SA2500: Upgrade to PSA3000 for double the number of potential concurrent users.
From Juniper Networks SSL VPN SA4000 and SA4500: Upgrade to PSA5000 for more than double the number of potential concurrent users.
From Juniper Networks SSL VPN SA6000 and SA6500: Upgrade to PSA7000 for more performance, greater user support and 10 Gbps support.
Pulse Secure Best Practices
Configuration Best Practices
User session security:
Disable session roaming: With roaming disabled, a session is bound to the IP address from which the user first logged in, so a stolen session cookie cannot be reused from a different IP address. This lowers the possibility of a session being stolen and reused by an attacker.
(Users --> User Roles --> [Role Name] --> General --> Session Options: Roaming Session, select "Disabled")
Disable persistent sessions: (Users --> User Roles --> [Role Name] --> General --> Session Options: Persistent Session, select "Disabled")
Remove Browser Session Cookie: (Users --> User Roles --> [Role Name] --> General --> Session Options: Remove Browser Session Cookie, select "Enabled")
Disable split tunneling: This helps ensure that all traffic is sent through the VPN tunnel and that the client cannot accept connections from, or talk to, other hosts on its local subnet. This lowers the possibility of a client system becoming a gateway or proxy into the secure tunnel. (Users --> User Roles --> [Role Name] --> VPN Tunneling --> Options --> Split Tunneling Options: select "Disable")
Session limits: Ensure that user sessions are limited to a set maximum length. If a session is stolen it is only usable until the session times out. A maximum session length of 24 or 48 hours is a good starting recommendation; pair it with a much shorter idle timeout. (Users --> User Roles --> [Role Name] --> General --> Session Options: Session lifetime lengths)
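The session options above are easier to reason about as a small model of what the gateway's session table does with a cookie. The following is an added example written for this page, not Pulse Secure's code: a session store that can be run with roaming enabled or disabled and with a maximum session length, so the effect of each setting on a replayed cookie can be checked. The idle timeout, the lifetimes and the IP addresses are assumptions for the example; the persistent-session and remove-cookie options act on the browser side and are not modelled.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    source_ip: str      # address that established the session
    created: float      # sign-in time, epoch seconds
    last_seen: float    # last accepted request


class SessionStore:
    """Model of the role-level session options discussed above.

    roaming=True  : 'Roaming Session' enabled, any source IP may present the cookie
    roaming=False : disabled, the cookie is bound to the IP that created the session
    max_lifetime  : maximum session length in seconds (assumed 24 h by default here)
    idle_timeout  : seconds of inactivity after which the session is dropped (assumed 10 min)
    """

    def __init__(self, roaming=False, max_lifetime=24 * 3600, idle_timeout=10 * 60):
        self.roaming = roaming
        self.max_lifetime = max_lifetime
        self.idle_timeout = idle_timeout
        self._sessions = {}

    def login(self, user, source_ip, now):
        cookie = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[cookie] = Session(user, source_ip, now, now)
        return cookie

    def validate(self, cookie, source_ip, now):
        """Return the user name if the cookie is acceptable from source_ip at time now,
        otherwise None. Expired sessions are discarded; a cookie presented from the
        wrong address is refused but the owner's session is left intact."""
        s = self._sessions.get(cookie)
        if s is None:
            return None
        if now - s.created > self.max_lifetime or now - s.last_seen > self.idle_timeout:
            del self._sessions[cookie]
            return None
        if not self.roaming and source_ip != s.source_ip:
            return None                     # roaming disabled: replay from another IP fails
        s.last_seen = now
        return s.user


def replay_outcomes(now=1_700_000_000.0):
    """Worked comparison: the same stolen cookie presented from an attacker's address."""
    victim_ip, attacker_ip = "203.0.113.10", "198.51.100.7"   # constructed addresses
    out = {}

    roaming = SessionStore(roaming=True)
    c = roaming.login("alice", victim_ip, now)
    out["roaming_enabled"] = roaming.validate(c, attacker_ip, now + 60)    # replay works

    bound = SessionStore(roaming=False)
    c = bound.login("alice", victim_ip, now)
    out["roaming_disabled"] = bound.validate(c, attacker_ip, now + 60)     # replay refused
    out["legit_after_replay"] = bound.validate(c, victim_ip, now + 120)   # owner unaffected

    # Maximum session length bounds the damage even where roaming must stay enabled.
    lifetime = SessionStore(roaming=True, max_lifetime=24 * 3600, idle_timeout=10**9)
    c = lifetime.login("alice", victim_ip, now)
    out["before_lifetime"] = lifetime.validate(c, attacker_ip, now + 23 * 3600)
    out["after_lifetime"] = lifetime.validate(c, attacker_ip, now + 25 * 3600)
    return out
```

Running `replay_outcomes()` shows the stolen cookie accepted from the attacker's address only when roaming is enabled, and dead after the maximum session length either way.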
Launch Pulse as standalone: If your deployment mostly uses L3 VPN access AND does not use a browser to access applications through the clientless (web rewriter) technology, consider a deployment mode in which a browser is not used to log in to the gateway or access any of its features. This eliminates the risks that typically come with accessing an application via a web browser.
IP lockout: Use the IP lockout option to block brute force password attacks. Caveat: if your users reach the Pulse Secure device through a load balancer or proxy this is not viable, since all of them may appear to come from the same IP address and one attacker's failures would lock everyone out. Default values are good for most situations; adjust them to your needs if the default is not sufficient. (System --> Configuration --> Security --> Miscellaneous: Lockout Options)
ESP encryption strength should be set to 256-bit; the default is 128-bit. (Users --> Resource Policies --> VPN Tunneling --> Connection Profiles --> [Profile Name] --> Connection Settings: Encryption: select "AES256/SHA1")
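The load-balancer caveat on the IP lockout option is worth seeing on actual sign-in records. The following is an added example for this page, not Pulse Secure's lockout implementation: a per-address failure counter run over constructed, syslog-style sign-in lines, first keyed by the TCP peer address the gateway sees (the shared load-balancer address) and then by the original client address that a trusted proxy would pass in X-Forwarded-For. The log format, the thresholds and the addresses are assumptions for the example; whether the appliance can key its lockout on a forwarded header is not stated on this page.

```python
import re
from collections import defaultdict, deque

# Constructed sign-in records (not the real Pulse Connect Secure log format).
# 'src' is the peer address the gateway sees; every request arrives via the load
# balancer 10.0.0.5. 'xff' is the original client address the balancer forwards.
SAMPLE_LOG = """\
100 login failed user=bob src=10.0.0.5 xff=198.51.100.7
101 login failed user=bob src=10.0.0.5 xff=198.51.100.7
102 login failed user=bob src=10.0.0.5 xff=198.51.100.7
103 login failed user=bob src=10.0.0.5 xff=198.51.100.7
104 login failed user=bob src=10.0.0.5 xff=198.51.100.7
105 login failed user=bob src=10.0.0.5 xff=198.51.100.7
110 login ok user=alice src=10.0.0.5 xff=203.0.113.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) login (?P<result>ok|failed) user=(?P<user>\S+) "
    r"src=(?P<src>\S+)(?: xff=(?P<xff>\S+))?$"
)


class IpLockout:
    """Lockout counter keyed by an address. Thresholds are assumptions for the example,
    not the appliance defaults: lock an address after `max_failures` failed sign-ins
    within `window` seconds, for `lockout` seconds."""

    def __init__(self, max_failures=5, window=120, lockout=600):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)   # address -> timestamps of recent failures
        self.locked_until = {}               # address -> time the lock expires

    def is_locked(self, addr, ts):
        return self.locked_until.get(addr, 0) > ts

    def record_failure(self, addr, ts):
        q = self.failures[addr]
        q.append(ts)
        while q and q[0] < ts - self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[addr] = ts + self.lockout
            q.clear()


def replay(log_text, key="src"):
    """Run the records through the lockout keyed by the 'src' or 'xff' field.
    Returns one outcome per line: 'ok', 'failed', or 'locked' (refused before the
    credentials are even checked)."""
    guard = IpLockout()
    outcomes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = int(m["ts"])
        addr = m[key] or m["src"]            # fall back to the peer address if no header
        if guard.is_locked(addr, ts):
            outcomes.append("locked")
            continue
        outcomes.append(m["result"])
        if m["result"] == "failed":
            guard.record_failure(addr, ts)
    return outcomes
```

Keyed by `src`, bob's five failures lock the shared balancer address and alice's valid sign-in at t=110 is refused as well; keyed by `xff`, only bob's real address is locked and alice gets through. The second variant is only safe when the proxy strips any X-Forwarded-For header the client supplies itself.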
Server side security:
Port 80/TCP restriction: We recommend putting the Pulse Connect Secure device behind a firewall and only allowing the needed ports, such as 443/TCP and 4500/UDP, to the device. Attacks such as SSLStrip prey on port 80 to 443 redirects; see KB13903 - Mitigating SSLStrip attack methods on the Secure Access SSL VPN. The caveat is that some users do not know that they need to type https:// before the device's domain name and must be trained to do this.
Logging: Enable logging to a syslog server. This should be done for each of the following: Events, User Access and Admin Access logs. (System --> Log/Monitoring --> "Events" / "User Access" / "Admin Access" --> Settings: Syslog Servers). Please see KB22227 - [SSL VPN] How to configure the Syslog server for more information on this topic.
Configure NTP (Network Time): Ensure that your system's time is correct as it will help during any future logging investigations. (System --> Status --> Overview --> "System Date & Time" --> click "Edit" --> Time Source --> "Use NTP Server": Fill in NTP server configuration).
Disable clients that only support weak ciphers: (System --> Configuration --> Security --> SSL Options --> Encryption Strength Option --> Enable checkbox for ‘Do not allow connections from browsers that only accept weaker ciphers’.)
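What the "do not allow connections from browsers that only accept weaker ciphers" option decides can be shown on the wire: the server reads the cipher suites the client offers in its ClientHello and refuses the connection if none of them is acceptable. The following is an added example written for this page, not the appliance's TLS stack: a minimal ClientHello builder and parser (RFC 5246 record layout) and a screening function that rejects a client offering only RC4, 3DES, export or NULL suites. The suite table and the "weak" markers are assumptions for the example; the appliance's own list of what counts as a weaker cipher is not given on this page.

```python
import struct

# IANA cipher suite identifiers (subset) with their names. The selection is constructed
# for the example; it is not the appliance's cipher list.
SUITE_NAMES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "3DES", "MD5")   # assumed policy for the example


def is_acceptable(suite):
    """A suite the server would agree to: one it knows that carries no weak primitive."""
    name = SUITE_NAMES.get(suite)
    return name is not None and not any(marker in name for marker in WEAK_MARKERS)


def build_client_hello(suites, version=b"\x03\x03"):
    """Assemble a minimal TLS ClientHello record offering `suites`.
    The 32-byte random is zeroed because this is a constructed test message."""
    body = version + bytes(32) + b"\x00"                       # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs                    # cipher_suites vector
    body += b"\x01\x00"                                        # compression_methods: null only
    body += b"\x00\x00"                                        # extensions: none
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite ids]) from a ClientHello record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = (body[0], body[1])
    pos = 2 + 32                                               # skip version and random
    pos += 1 + body[pos]                                       # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def screen_client(record):
    """Apply the policy: refuse a client whose offered suites contain nothing acceptable,
    otherwise report the suites the server could pick, in the client's preference order."""
    _, suites = parse_client_hello(record)
    acceptable = [SUITE_NAMES[s] for s in suites if is_acceptable(s)]
    return ("accept" if acceptable else "reject"), acceptable


# Constructed clients: a legacy one that only knows RC4/3DES/export suites, and a modern
# one that still lists RC4 at the bottom of its preference list (tolerated, never chosen).
LEGACY_HELLO = build_client_hello([0x0005, 0x000A, 0x0003], version=b"\x03\x01")
MODERN_HELLO = build_client_hello([0xC030, 0xC02F, 0x0035, 0x0005])
```

The point of the option is the first case: a client that can only negotiate RC4, 3DES or export suites gets no connection at all rather than a downgraded one. The second client is accepted because it also offers AES-GCM suites. Note that the version check (SSLv3, TLS 1.0) is a separate setting and is not part of this screening function.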
Lock down administrative login to only internal or management interfaces. Administrators should not be allowed to log in from the internet. The default is to have external port admin logins disabled. (Administrators --> Admin Realms --> [Admin Realm] --> Authentication Policy --> Source IP --> Ensure that "Enable administrators to sign in on the External Port" is not enabled)
Add realm level restrictions for admin realms and roles.
Lock down serial console access with a password. (You'll need to do this from the console port command line interface.)
Encrypt backed up configuration exports, store them securely.
Do not use "admin", "administrator" or other popular administrator login names. Choose an administrator username that is non-standard.
Rename the default admin sign in URL from /admin to something non-standard.
Two factor authentication (2FA): We recommend the use of two factor authentication. A One Time Password (OTP) or client certificate authentication are two good options that are available. 2FA is more secure than standard user chosen passwords for a number of reasons. An OTP can only be used once, so a code captured by an attacker cannot be replayed. Long, unique and complex passwords are required to be secure today, but most users have trouble remembering them, which causes usability issues. Using 2FA addresses both of those problems.
If possible, use client certificate authentication with server-side revocation checking (OCSP or a CRL), combined with secondary authentication against AD/LDAP authentication servers, for sign-in realms.
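The single-use property of an OTP that the 2FA paragraph relies on is enforced by the verifier, not by the token: a captured code is only useless if the server refuses to accept a counter it has already consumed. The following is an added example for this page, not Pulse Secure's or any token vendor's code: an RFC 4226 HOTP generator and a server-side verifier that advances a per-token counter and rejects replays. The secret is the RFC 4226 test key and the look-ahead window of 5 is an assumption for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpVerifier:
    """Server-side state for one token: the next counter value that may still be accepted.

    look_ahead is the resynchronisation window (RFC 4226 section 7.4); 5 is an assumption.
    Accepting counter c burns every counter up to and including c, which is what makes a
    captured code single-use even if the attacker replays it immediately."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.counter = 0          # next expected counter

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def replay_demo():
    """Worked sequence: a valid code, the same code replayed, a skipped-ahead code,
    and an older code presented after the window has moved past it."""
    secret = b"12345678901234567890"          # RFC 4226 test key (not a real token secret)
    v = OtpVerifier(secret)
    captured = hotp(secret, 0)                 # the code an attacker might have sniffed
    return {
        "first_use": v.verify(captured),       # True: counter 0 accepted, counter advances to 1
        "replay": v.verify(captured),          # False: counter 0 is burnt
        "skip_ahead": v.verify(hotp(secret, 3)),   # True: within the look-ahead window
        "stale": v.verify(hotp(secret, 2)),    # False: below the new counter of 4
    }
```

The replay case is the one the paragraph above describes: the code that authenticated the user a moment ago is rejected the second time, so capturing it buys the attacker nothing. The stale case shows the other half of the rule, that accepting a later counter also invalidates the ones before it.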
Host Checker: We recommend using Host Checker to ensure that clients are running antivirus software that is up to date. Host Checker can be used to verify an endpoint for many requirements including having a firewall enabled.
We recommend using a current and updated version of Firefox, Chrome, Internet Explorer or Safari. These browsers support TLS 1.2 and have a good track record of shipping security updates quickly.
Security updates and advisories:
Subscribe to alerts: Ensure that you are subscribed to security advisories to keep yourself up to date on current fixes provided by Pulse Secure. Currently, Pulse is utilizing the TSB system for our security advisories. (This will be an option once we have a new Pulse Secure Security Advisory system online.)
Software updates: We recommend that all customers use Pulse Secure Customer Support Center recommended releases, or newer. This ensures that you have the most reliable and secure software release on your Pulse Secure devices.